> > In "closing" ports, one has the option - nay one is recommended - to
> > use the "DROP" target which has the desired effect of which you speak.
>
> It is probably a very good idea to actually REJECT ident (113/tcp) lookups
> rather than drop them. It is very common to have reverse ident lookups due
> to your activity, and a DROP will cause a delay that is not needed. This
> particular item is normal and not a security concern in and of itself. As a
> matter of fact, it is so common, it is good to not even log it.

Good advice. I will heed it.
So, accept 113/tcp and ICMP packets. Anything else? Oh, a judicious use of
"--limit" may also be a good idea.
dreamwolf
--
gentoo-security@g.o mailing list
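For reference, here is the advice from this thread turned into a minimal iptables ruleset. This is an added example, not something posted on the list: ident on 113/tcp is rejected with a TCP RST rather than dropped (so a remote mail or IRC server doing a reverse ident lookup gets "connection refused" immediately instead of hanging until its timeout) and is not logged; ICMP is accepted under `-m limit`; and the log rule for everything else is also rate-limited so a port scan cannot flood the logs. The default DROP policy, the `-m state` match and the specific limit values are assumptions for the sake of the example, not settings anyone in the thread recommended.

```shell
#!/bin/sh
# Added example (not from the gentoo-security thread): emit a ruleset in
# iptables-restore(8) format that follows the advice above. Apply with:
#   sh rules.sh > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
# The chain policies, the state match and the --limit values below are
# assumptions chosen for illustration; tune them for your host.

gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ident (113/tcp): REJECT with a TCP RST, not DROP. A DROP makes the remote
# ident client wait for its own timeout before it proceeds; a RST ends the
# lookup at once. Deliberately no LOG rule here: reverse ident lookups are
# normal and far too common to be worth logging.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# ICMP: accept, but rate-limited so a flood cannot eat CPU or log space.
# Packets over the limit fall through to the explicit DROP on the next line.
-A INPUT -p icmp -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -j DROP
# Everything else hits the DROP policy. Log only a limited sample so a
# scan cannot turn the log itself into a denial of service.
-A INPUT -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPT DROP: "
COMMIT
EOF
}

# Helpers a caller (or a test) can use to check the generated ruleset.
ident_is_rejected_with_rst() {
  gen_rules | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset'
}
ident_is_not_logged() {
  gen_rules | grep -- '--dport 113' | grep -q LOG && return 1
  return 0
}
icmp_is_rate_limited() {
  gen_rules | grep -- '-p icmp' | grep -- '-j ACCEPT' | grep -q -- '-m limit'
}

gen_rules
```

After loading the rules, `iptables -L INPUT -n -v --line-numbers` shows the counters per rule; from another host, `nc -v <host> 113` should report "connection refused" immediately rather than timing out, which is the visible difference between REJECT and DROP that the thread is about. Note that `--reject-with tcp-reset` is only valid for TCP rules; for UDP or a protocol-agnostic rule, REJECT falls back to an ICMP port-unreachable message.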